CVE-2025-36755 is a low-severity vulnerability in the CleverDisplay BlueOne hardware player, identified as CWE-1244 (Internal Asset Exposed to Unsafe Debug Access Level or State). The device’s USB interfaces are designed to be physically enclosed and inaccessible during normal operation. However, researchers demonstrated that by physically circumventing the enclosure, an attacker can connect a USB keyboard and press the ESC key during the boot process to access the BIOS setup interface. While BIOS settings can be viewed, they cannot be modified, thus preventing direct integrity or availability compromise. This exposure increases the attack surface by leaking internal system information, which could aid attackers in reconnaissance or further targeted attacks. The vulnerability does not require authentication or user interaction beyond physical access and enclosure removal. The CVSS 4.0 vector indicates a physical attack vector (AV:P), low complexity (AC:L), no privileges or user interaction required, and only a low impact on confidentiality (VC:L) with no impact on integrity or availability. No known exploits are currently in the wild, and no patches have been released, likely due to the limited risk and physical access requirement.

For European organizations, the primary impact is information disclosure of BIOS settings, which could facilitate more sophisticated attacks if combined with other vulnerabilities or insider threats. While the inability to modify BIOS settings limits direct compromise, knowledge of BIOS configurations can reveal system architecture, boot order, and security features, potentially aiding attackers in bypassing protections or deploying firmware-level malware. Organizations with BlueOne hardware players deployed in physically accessible or less secure locations face a higher risk. This is particularly relevant for sectors with distributed digital signage or media players, such as retail, transportation hubs, or public venues. The impact on confidentiality is low, and there is no direct threat to system integrity or availability under normal configurations. However, the vulnerability highlights the importance of physical security controls in hardware deployments.

To mitigate this vulnerability, European organizations should prioritize strengthening physical security around BlueOne devices to prevent unauthorized enclosure removal. This includes tamper-evident seals, locked cabinets, or secure mounting to restrict physical access. Regular physical inspections and monitoring for signs of tampering can help detect attempts to exploit this vulnerability. Additionally, organizations should consider disabling USB ports if not required or implementing BIOS-level protections such as password protection on BIOS settings to prevent unauthorized access even if the interface is reached. Network segmentation and monitoring can limit the impact if an attacker gains further access. While no software patch is currently available, maintaining updated firmware and following vendor advisories is recommended. Awareness training for staff managing physical devices can also reduce risks.